# Enumeration

Install AADInternals

Allow locally installed modules to run (scoping the change to the current user avoids needing an elevated shell):

```
Set-ExecutionPolicy Unrestricted -Scope CurrentUser
```

Install the module

```
Install-Module AADInternals
```

Import the module

```
Import-Module AADInternals
```

Get the tenant name, authentication type (managed or federated), brand name (usually the same as the directory name) and domain name for a given user, without any credentials

```
Get-AADIntLoginInformation -UserName unsecure@yourdomain.com
```

Get tenant ID

```
Get-AADIntTenantID -Domain yourdomain.com 
```

Get tenant domains

```
Get-AADIntTenantDomains -Domain yourdomain.com 
```

Get all of the above in one unauthenticated call (tenant details plus every registered domain with its authentication type)

```
Invoke-AADIntReconAsOutsider -DomainName yourdomain.com
```

ROADtools

ROADtools is a framework to interact with Azure AD. It consists of a library (roadlib) with common components, the ROADrecon Azure AD exploration tool and the ROADtools Token eXchange (roadtx) tool.

Install it via pip

```
pip install roadrecon
```

Authenticate (the token is cached in .roadtools_auth) and pull the whole directory into a local SQLite database (roadrecon.db by default)

```
roadrecon auth -u [MAIL] -p [PASSWORD]
# use device-code authentication instead when the account requires MFA
roadrecon auth --device-code
roadrecon gather
```

Then browse the collected data offline

```
roadrecon gui
```

AzureAD Module

AzureAD is a PowerShell module from Microsoft for managing Azure AD. It only talks to the directory; it gives no access to Azure resources (subscriptions, VMs, storage), which need the Az module. Microsoft has deprecated the AzureAD module in favour of Microsoft Graph PowerShell, so expect these cmdlets to stop working at some point.

```
# Needs internet access (installs from the PowerShell Gallery)
Install-Module AzureAD

Import-Module AzureAD

# Interactive login; the only option that works for MFA-enforced accounts
Connect-AzureAD

# Non-interactive login with a prompted credential
$creds = Get-Credential
Connect-AzureAD -Credential $creds

# Non-interactive login with a credential built from a known password
$passwd = ConvertTo-SecureString "[PASSWORD]" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential("[MAIL]", $passwd)
Connect-AzureAD -Credential $creds
```

Get the current session state

```
Get-AzureADCurrentSessionInfo
```

Get details of the current tenant

```
Get-AzureADTenantDetail
```

AzureAD Users

Enumerate all users

```
Get-AzureADUser -All $true
```

Enumerate a specific user

```
Get-AzureADUser -ObjectId [MAIL]
Get-AzureADUser -SearchString "admin" 
```

Search for users who contain the word "admin" in their Display name:

```
Get-AzureADUser -All $true | ?{$_.DisplayName -match "admin"}
```

List all the attributes for a user

```
Get-AzureADUser -ObjectId [MAIL] | fl *
Get-AzureADUser -ObjectId [MAIL] | %{$_.PSObject.Properties.Name}
```

Search attributes for all users that contain the string "password":

```
Get-AzureADUser -All $true | %{$Properties = $_; $Properties.PSObject.Properties.Name | %{ if ($Properties.$_ -match 'password') { "$($Properties.UserPrincipalName) - $_ - $($Properties.$_)" } } }
```

All users who are synced from on-prem

```
Get-AzureADUser -All $true |?{$_.OnPremisesSecurityIdentifier -ne $null}
```

All users who are from Azure AD

```
Get-AzureADUser -All $true |?{$_.OnPremisesSecurityIdentifier -eq $null}
```

Objects created by any user (use -ObjectId for a specific user)

```
Get-AzureADUser | Get-AzureADUserCreatedObject
```

Objects owned by a specific user

```
Get-AzureADUserOwnedObject -ObjectId [MAIL]
```

AzureAD Groups

List all Groups

```
Get-AzureADGroup -All $true
```

Enumerate a specific group

```
Get-AzureADGroup -ObjectId .....-..... 
```

Search for a group based on the first characters of its DisplayName (wildcards are not supported)

```
Get-AzureADGroup -SearchString "admin" | fl * 
```

To search for groups which contain the word "admin" in their name:

```
Get-AzureADGroup -All $true | ?{$_.DisplayName -match "admin"}
```

Get groups that use dynamic membership (note the different cmdlet name: only the MS cmdlets expose GroupTypes; -All $true is needed to go past the first page)

```
Get-AzureADMSGroup -All $true | ?{$_.GroupTypes -contains 'DynamicMembership'}
```

All groups that are synced from on-prem (their membership is managed in on-prem AD and cannot be changed from Azure AD)

```
Get-AzureADGroup -All $true |?{$_.OnPremisesSecurityIdentifier -ne $null} 
```

All groups that are from Azure AD

```
Get-AzureADGroup -All $true |?{$_.OnPremisesSecurityIdentifier -eq $null}
```

Get members of a group

```
Get-AzureADGroupMember -ObjectId ........-....-....-....-................. 
```

Get groups and roles where the specified user is a member

```
Get-AzureADUser -SearchString 'test' | Get-AzureADUserMembership
Get-AzureADUserMembership -ObjectId unsecure@yourdomain.com
```

AzureAD Role

Get all available role templates

```
Get-AzureADDirectoryRoleTemplate
```

Get all roles (only roles that have been activated, i.e. have at least one assignment, are returned; compare with the template list above)

```
Get-AzureADDirectoryRole
```

Enumerate the principals to whom a given admin role is assigned, e.g. Global Administrator

```
Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'" | Get-AzureADDirectoryRoleMember
```
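The two cmdlets above only cover one role at a time. As an added example (not code from the original page), the script below walks every activated high-value role and reports, per member, the attributes that matter during an assessment: whether the account is a guest, whether it is synced from on-prem AD (an on-prem compromise then reaches the cloud role), and whether it is enabled. It assumes an existing Connect-AzureAD session; the function name and the default role list are our own choices.

```powershell
# Added example, not part of the original page. Assumes a live Connect-AzureAD session.
# The function name and the default role list are our own choices.

function Get-PrivilegedMemberReport {
    [CmdletBinding()]
    param(
        # Role display names to report on; the default is the usual set of tenant-takeover roles
        [string[]]$RoleNames = @(
            'Global Administrator', 'Privileged Role Administrator',
            'Privileged Authentication Administrator', 'Application Administrator',
            'Cloud Application Administrator', 'User Administrator'
        )
    )
    # Get-AzureADDirectoryRole returns only activated roles (roles with at least one
    # assignment), so a role missing from the output simply has no members yet.
    $roles = Get-AzureADDirectoryRole | Where-Object { $RoleNames -contains $_.DisplayName }

    foreach ($role in $roles) {
        foreach ($member in (Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId)) {
            # Members can be users, service principals or role-assignable groups;
            # only users carry a UPN, so fall back to the display name
            $name = if ($member.UserPrincipalName) { $member.UserPrincipalName } else { $member.DisplayName }
            [PSCustomObject]@{
                Role       = $role.DisplayName
                Member     = $name
                ObjectType = $member.ObjectType
                UserType   = $member.UserType                            # 'Guest' admins deserve a second look
                Synced     = [bool]$member.OnPremisesSecurityIdentifier  # reachable from a compromised on-prem AD
                Enabled    = $member.AccountEnabled
            }
        }
    }
}

# Usage: full report, then only the admins an on-prem compromise or a guest account would hand over
Get-PrivilegedMemberReport | Format-Table -AutoSize
Get-PrivilegedMemberReport | Where-Object { $_.Synced -or $_.UserType -eq 'Guest' } |
    Format-Table Role, Member, UserType, Synced
```

Pass -RoleNames to check other roles; every name must match the DisplayName returned by Get-AzureADDirectoryRole exactly.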

AzureAD Devices

Get all Azure joined and registered devices

```
Get-AzureADDevice -All $true | fl *
```

Get the device configuration object (note the RegistrationQuota in the output)

```
Get-AzureADDeviceConfiguration | fl *
```

List registered owners of all the devices

```
Get-AzureADDevice -All $true | Get-AzureADDeviceRegisteredOwner
```

List Registered users of all the devices

```
Get-AzureADDevice -All $true | Get-AzureADDeviceRegisteredUser
```

List devices owned by a user

```
Get-AzureADUserOwnedDevice -ObjectId [MAIL]
```

List devices registered by a user

```
Get-AzureADUserRegisteredDevice -ObjectId [MAIL]
```

List devices managed by Intune (IsCompliant is set once the device passes its Intune compliance policy, IsManaged once it is MDM-enrolled)

```
Get-AzureADDevice -All $true | ?{$_.IsCompliant -eq $true}
Get-AzureADDevice -All $true | ?{$_.IsManaged -eq $true}
```

AzureAD Apps

Get all the application objects registered with the current tenant (visible under App Registrations in the Azure portal). An application object is the global representation of an app.

```
Get-AzureADApplication -All $true
```

Get all details about an application

```
Get-AzureADApplication -ObjectId [ID NO] | fl *
```

Get an application based on the display name

```
Get-AzureADApplication -All $true | ?{$_.DisplayName -match "app"}
```

Get-AzureADApplicationPasswordCredential shows which applications have an application password (client secret), but the secret value itself is never returned; only its metadata (key ID, start and end date) is.

Get the owner of an application

```
Get-AzureADApplication -ObjectId [ID NO] | Get-AzureADApplicationOwner | fl *
```

Get apps where a user has a role (the exact role is not shown)

```
Get-AzureADUser -ObjectId [MAIL] | Get-AzureADUserAppRoleAssignment | fl *
```

Get apps where a group has a role (the exact role is not shown)

```
Get-AzureADGroup -ObjectId [ID NO] | Get-AzureADGroupAppRoleAssignment | fl *
```

AzureAD Service Principals

Enumerate service principals (visible as Enterprise Applications in the Azure portal).

The service principal is the local representation of an app in a specific tenant and is the security principal that actually holds privileges: this is the 'service account'. Azure AD roles, Azure RBAC roles and API permissions are granted to the service principal, not to the application object.

Get all service principals

```
Get-AzureADServicePrincipal -All $true
```

Get all details about a service principal

```
Get-AzureADServicePrincipal -ObjectId [ID NO] | fl *
```

Get a service principal based on the display name

```
Get-AzureADServicePrincipal -All $true | ?{$_.DisplayName -match "app"}
```

Get the owner of a service principal

```
Get-AzureADServicePrincipal -ObjectId [ID NO] | Get-AzureADServicePrincipalOwner | fl *
```

Get objects owned by a service principal

```
Get-AzureADServicePrincipal -ObjectId [ID NO] | Get-AzureADServicePrincipalOwnedObject
```

Get objects created by a service principal

```
Get-AzureADServicePrincipal -ObjectId [ID NO] | Get-AzureADServicePrincipalCreatedObject
```

Get group and role memberships of a service principal (first for one, then for all)

```
Get-AzureADServicePrincipal -ObjectId [ID NO] | Get-AzureADServicePrincipalMembership | fl *

Get-AzureADServicePrincipal -All $true | Get-AzureADServicePrincipalMembership
```
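Ownership and credentials are the two things worth correlating across the application and service-principal cmdlets above: an owner of an app registration or service principal can add a new secret to it and then sign in as that identity, inheriting every role and permission it holds, so a low-privileged owner of a highly privileged app is an escalation path. As an added example (not code from the original page), the script below builds that picture for the whole tenant. It assumes an existing Connect-AzureAD session; the function names Get-AppCredentialReport and New-CredentialRow are our own, every Get-AzureAD* cmdlet is from the AzureAD module.

```powershell
# Added example, not part of the original page. Assumes a live Connect-AzureAD session.
# Function names (New-CredentialRow, Get-AppCredentialReport) are our own; every
# Get-AzureAD* cmdlet used here is from the AzureAD module.

function New-CredentialRow {
    param($Kind, $Object, $Secrets, $Certs, $Owners)
    # A cmdlet that returns nothing binds as $null; filter it out so the counts are real
    $Secrets = @($Secrets | Where-Object { $_ })
    $Certs   = @($Certs   | Where-Object { $_ })
    $Owners  = @($Owners  | Where-Object { $_ })
    [PSCustomObject]@{
        Kind         = $Kind
        DisplayName  = $Object.DisplayName
        AppId        = $Object.AppId
        Secrets      = $Secrets.Count     # client secrets; their values are never returned
        Certs        = $Certs.Count       # certificate credentials
        LatestExpiry = @($Secrets + $Certs | ForEach-Object { $_.EndDate } | Sort-Object) | Select-Object -Last 1
        Owners       = ($Owners | ForEach-Object {
                            if ($_.UserPrincipalName) { $_.UserPrincipalName } else { $_.DisplayName }
                        }) -join ';'
    }
}

function Get-AppCredentialReport {
    [CmdletBinding()]
    param(
        # Skip service principals whose app lives in another tenant (Microsoft first-party,
        # multi-tenant SaaS): this tenant cannot add credentials to those anyway
        [switch]$TenantOwnedOnly
    )
    $tenantId = (Get-AzureADTenantDetail).ObjectId

    # Application objects (App Registrations)
    foreach ($app in (Get-AzureADApplication -All $true)) {
        New-CredentialRow -Kind 'Application' -Object $app `
            -Secrets (Get-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId) `
            -Certs   (Get-AzureADApplicationKeyCredential      -ObjectId $app.ObjectId) `
            -Owners  (Get-AzureADApplicationOwner              -ObjectId $app.ObjectId)
    }
    # Service principals (Enterprise Applications): the identities that actually hold privileges
    foreach ($sp in (Get-AzureADServicePrincipal -All $true)) {
        if ($TenantOwnedOnly -and $sp.AppOwnerTenantId -ne $tenantId) { continue }
        New-CredentialRow -Kind 'ServicePrincipal' -Object $sp `
            -Secrets (Get-AzureADServicePrincipalPasswordCredential -ObjectId $sp.ObjectId) `
            -Certs   (Get-AzureADServicePrincipalKeyCredential      -ObjectId $sp.ObjectId) `
            -Owners  (Get-AzureADServicePrincipalOwner              -ObjectId $sp.ObjectId)
    }
}

# Usage: tenant-owned identities that already carry a credential and have a named owner,
# newest-expiring first. Each owner listed can mint a fresh secret for that identity.
Get-AppCredentialReport -TenantOwnedOnly |
    Where-Object { ($_.Secrets + $_.Certs) -gt 0 -and $_.Owners } |
    Sort-Object LatestExpiry -Descending |
    Format-Table Kind, DisplayName, Secrets, Certs, LatestExpiry, Owners -AutoSize
```

Feed the Owners column into the role enumeration from the previous section: an owner who holds no directory role but owns a service principal with Azure AD roles, Azure RBAC assignments or high-value API permissions is the finding to write up. Enumerating every service principal in a large tenant makes several calls per object, so expect the unfiltered run to take a while.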
